Dec 25, 2009

A War We Can Lose -- Chapter 6.9

This
is
another
excerpt from my book on technology, terrorism, and
DHS, tentatively titled "Skating on Stilts." (If you want to
read the excerpts in a more coherent fashion, try the categories on the
right labeled "Excerpts from the book." I'm afraid I can't fix the bug
in TypePad that prevents me from putting them in the category in
reverse-chronological order, but I have started putting chapters up in
pdf form from time to time.) Comments and factual quibbles
are welcome, either in the comments section or by email:
fact.check.baker@gmail.com. If you're dying to order the book, send
mail to the same address. I'm still looking for an agent and a
publisher, so feel free to make recommendations on that score too.

--Stewart Baker

You might think that’s the worst of it.

But it’s not, quite. It’s not just that you could lose your life
savings. Your country could lose its next war. And not just the way we’re used
to losing – where we get tired of being unpopular in some third-world country
and go home. I mean losing
losing:Attacked at home and forced to
give up cherished principles or loyal allies to save ourselves.

Plenty of countries are enthusiastic about using hackers’ tools as
weapons of war. At the start of a 2008 shooting war between Georgia and Russia
over South Ossetia, for example, numerous Georgian websites were swamped by
denial of service attacks. Security researchers found evidence that the attacks
were coordinated and organized by Russian intelligence agencies. The year
before, Estonian government agencies and banks were also crippled by denial of
service attacks after the Estonian government moved a World War II memorial
that had become a symbol of Soviet colonial rule. Estonia’s foreign minister
charged that the Russian government was behind the attacks; Russia denied the
allegation and NATO, and European investigators could not refute the denial.

China has also been accused publicly of audacious computer
attacks. The German Chancellor, Angela Merkel, discovered that her office
computers had been compromised in an attack blamed on the People’s Liberation
Army.India, France, and Taiwan have
also suffered intrusions and attacks attributed to China. The compromise of the
Dalai Lama’s network was also widely blamed on China. Like Russia, China has
consistently denied all charges.

As I said before, in a strategic sense, the denials don’t really
matter. If the attacks weren’t carried out by Russian and Chinese government
agencies, that just means that there are more organizations and countries with
effective cyberintelligence and cyberwarfare capabilities than we thought. And,
in fact, five or ten years from now, there will be. That’s because cyberattacks
don’t require heavy capital investments, the way nuclear weapons or stealth
fighter jets do. Any nation willing to put ten of its best computer experts to
work on a cyberintelligence program could probably have one in a year or two.
(The Conficker worm that brought down British and French military systems could
easily have been written by a single well-trained person.)Many cyberattacks are simply a matter of individual
effort. Put enough smart people on enough targets, and some of them will get
through.

And that’s why attacks on computer networks pose such a strategic
threat to the United States in particular. We are an important intelligence
target for practically every nation on earth. And attacking our networks is
nearly risk free; the list of suspects is about as long as the UN membership
roster. In fact, there are incentives for them to help each other break into
our networks. (“I've seized control an email server at USDA, but what I really
want is USTR’s. Want to trade?I could
throw in the Commerce Secretary’s password to balance the deal.”)

If you’re a foreign government, breaking into US networks is a
twofer. You can start by stealing secrets. But if push comes to shove, you can
use your access to destroy the same systems you’ve been exploiting. Corrupt the
backup files, then bring the whole system down. Or start randomly changing data
and emails until no one can trust anything in the system.

It won’t take much to create chaos. The financial crisis of 2008
became a panic when bankers began to disbelieve each other. No one trusted the
other guy’s books, so they stopped lending, and the world crashed. Could that
same mistrust be created by modifying or destroying a few firms' computer
accounting and trading records?We
probably don’t want to find out.

It’s no secret how to fight a war against the United States. Slow
us down, then cause us pain at home and wait for antiwar sentiment to grow.
Cyberattacks are ideal for that strategy. Everything in the country, from
flight plans and phone calls to pipelines and traffic lights, is controlled by
networks susceptible to attack. A determined, state-sponsored attacker could
bring them all down – and blame it on some hacker liberation front so we wouldn’t
even know who to bomb.

The Pentagon has heard fifty years of warnings about not fighting
land wars in Asia, where hand to hand fighting and sheer numbers can overwhelm
an American army’s technological edge. But now it turns out we’ve opened an
electronic bridge, not just to Asia but to the rest of the world, and now we’re
trying to defend ourselves hand to hand against all comers. It’s hard to see
how that ends well.

***

So that’s the nub of the problem. No law of nature says that the
good guys will win in the end, or even that the benefits of a new technology
will always outweigh the harm it causes.

The exponential growth of information technology has made the
Pentagon far more efficient at fighting wars; it has made our economy far more
productive.